Critical FreeRDP Memory Flaw Enables Code Execution and DoS Attacks

Ubuntu has released security update USN-8432-1 to address a critical vulnerability in FreeRDP, a popular open-source remote desktop protocol implementation. The flaw involves improper memory handling that creates an out-of-bounds heap write condition, potentially allowing attackers to execute arbitrary code or trigger denial of service attacks on affected systems.

The vulnerability affects Ubuntu 24.04 LTS and Ubuntu 25.10 distributions. Beyond the primary CVE-2026-45700 fix, this patch also resolves a regression introduced in a previous update and completes remediation for three related CVEs that were only partially addressed in earlier releases.

Organizations using FreeRDP for remote access infrastructure should prioritize applying this patch to prevent potential compromise of systems relying on the affected protocol implementation.

Vulnerability Details

• CVE-2026-45700 stems from incorrect memory handling in FreeRDP under specific conditions
• Out-of-bounds heap write can be triggered by remote attackers without authentication
• Exploitation could result in arbitrary code execution with the privileges of the FreeRDP process
• Denial of service is also possible through memory corruption and application crashes

Patch Scope and Affected Systems

• USN-8432-1 addresses the primary vulnerability and resolves a regression from USN-8105-1
• Completes fixes for CVE-2026-22858, CVE-2026-23732, and CVE-2026-25952 on Ubuntu 24.04 LTS and 25.10
• Organizations should verify FreeRDP deployment versions and apply patches immediately
• Remote desktop infrastructure and terminal server implementations are primary targets for exploitation

Sources

• USN-8432-1: FreeRDP vulnerabilities